Bug 271596: editcomponents priv allows you to see/edit products you don't have access to - Patch by Frédéric Buclin <LpSolit@gmail.com> r=wicked a=justdave

author: lpsolit%gmail.com <> 2005-12-12 12:12:25 +0100
committer: lpsolit%gmail.com <> 2005-12-12 12:12:25 +0100
commit: e2f691c9eb53c6a9c8b02b740b444e6d558e35e8 (patch)
tree: 4b6c4e4809ae76a0d15d5242ac9943038ce1ff1e /editproducts.cgi
parent: 545a57e3d1866c18cce29dae67da2bd48e775ef0 (diff)
download: bugzilla-e2f691c9eb53c6a9c8b02b740b444e6d558e35e8.tar.gz
bugzilla-e2f691c9eb53c6a9c8b02b740b444e6d558e35e8.tar.xz
1 files changed, 38 insertions, 15 deletions
diff --git a/editproducts.cgi b/editproducts.cgi
index b4007a2f4..2b7c5dc5d 100755
--- a/editproducts.cgi
+++ b/editproducts.cgi
@@ -82,15 +82,10 @@ if (Param('useclassification')
     && !$classification_name
     && !$product_name)
 {
-    my @classifications =
-        Bugzilla::Classification::get_all_classifications();
+    $vars->{'classifications'} = $user->get_selectable_classifications;
     
-    $vars->{'classifications'} = \@classifications;
-    
-    $template->process("admin/products/list-classifications.html.tmpl",
-                       $vars)
+    $template->process("admin/products/list-classifications.html.tmpl", $vars)
         || ThrowTemplateError($template->error());
-
     exit;
 }
 
@@ -101,19 +96,19 @@ if (Param('useclassification')
 #
 
 if (!$action && !$product_name) {
-    my @products;
+    my $products;
 
     if (Param('useclassification')) {
         my $classification = 
             Bugzilla::Classification::check_classification($classification_name);
 
-        @products = @{$classification->products};
+        $products = $user->get_selectable_products($classification->id);
         $vars->{'classification'} = $classification;
     } else {
-        @products = Bugzilla::Product::get_all_products;
+        $products = $user->get_selectable_products;
     }
 
-    $vars->{'products'} = \@products;
+    $vars->{'products'} = $products;
     $vars->{'showbugcounts'} = $showbugcounts;
 
     $template->process("admin/products/list.html.tmpl", $vars)
@@ -327,9 +322,13 @@ if ($action eq 'new') {
 #
 
 if ($action eq 'del') {
-    
+    # First make sure the product name is valid.
     my $product = Bugzilla::Product::check_product($product_name);
 
+    # Then make sure the user is allowed to edit properties of this product.
+    $user->can_see_product($product->name)
+      || ThrowUserError('product_access_denied', {product => $product->name});
+
     if (Param('useclassification')) {
         my $classification = 
             Bugzilla::Classification::check_classification($classification_name);
@@ -353,8 +352,12 @@ if ($action eq 'del') {
 #
 
 if ($action eq 'delete') {
-    
+    # First make sure the product name is valid.
     my $product = Bugzilla::Product::check_product($product_name);
+
+    # Then make sure the user is allowed to edit properties of this product.
+    $user->can_see_product($product->name)
+      || ThrowUserError('product_access_denied', {product => $product->name});
     
     $vars->{'product'} = $product;
 
@@ -425,9 +428,13 @@ if ($action eq 'delete') {
 #
 
 if ($action eq 'edit' || (!$action && $product_name)) {
-
+    # First make sure the product name is valid.
     my $product = Bugzilla::Product::check_product($product_name);
 
+    # Then make sure the user is allowed to edit properties of this product.
+    $user->can_see_product($product->name)
+      || ThrowUserError('product_access_denied', {product => $product->name});
+
     if (Param('useclassification')) {
         my $classification; 
         if (!$classification_name) {
@@ -476,8 +483,13 @@ if ($action eq 'edit' || (!$action && $product_name)) {
 #
 
 if ($action eq 'updategroupcontrols') {
-
+    # First make sure the product name is valid.
     my $product = Bugzilla::Product::check_product($product_name);
+
+    # Then make sure the user is allowed to edit properties of this product.
+    $user->can_see_product($product->name)
+      || ThrowUserError('product_access_denied', {product => $product->name});
+
     my @now_na = ();
     my @now_mandatory = ();
     foreach my $f ($cgi->param()) {
@@ -739,8 +751,13 @@ if ($action eq 'update') {
 
     my $checkvotes = 0;
 
+    # First make sure the product name is valid.
     my $product_old = Bugzilla::Product::check_product($product_old_name);
 
+    # Then make sure the user is allowed to edit properties of this product.
+    $user->can_see_product($product_old->name)
+      || ThrowUserError('product_access_denied', {product => $product_old->name});
+
     if (Param('useclassification')) {
         my $classification; 
         if (!$classification_name) {
@@ -971,7 +988,13 @@ if ($action eq 'update') {
 #
 
 if ($action eq 'editgroupcontrols') {
+    # First make sure the product name is valid.
     my $product = Bugzilla::Product::check_product($product_name);
+
+    # Then make sure the user is allowed to edit properties of this product.
+    $user->can_see_product($product->name)
+      || ThrowUserError('product_access_denied', {product => $product->name});
+
     # Display a group if it is either enabled or has bugs for this product.
     my $groups = $dbh->selectall_arrayref(
         'SELECT id, name, entry, membercontrol, othercontrol, canedit,
author	lpsolit%gmail.com <>	2005-12-12 12:12:25 +0100
committer	lpsolit%gmail.com <>	2005-12-12 12:12:25 +0100
commit	e2f691c9eb53c6a9c8b02b740b444e6d558e35e8 (patch)
tree	4b6c4e4809ae76a0d15d5242ac9943038ce1ff1e /editproducts.cgi
parent	545a57e3d1866c18cce29dae67da2bd48e775ef0 (diff)
download	bugzilla-e2f691c9eb53c6a9c8b02b740b444e6d558e35e8.tar.gz bugzilla-e2f691c9eb53c6a9c8b02b740b444e6d558e35e8.tar.xz